In Serbia, the Police, Military Security Agency (VBA) and Security Information Agency (BIA) have unrestricted access to the users of Internet Service Providers (ISP) and telecom companies. But it is difficult to decide if the access is based on law.
It is usually observed that the police and intelligence agencies are thought to get court orders to get access to online user’s private data. However, in Serbia, it is not clear that either they make an effort to do so or not.
The Serbian legislation sets limits and boundaries on the circumstances under which the national and government authorities such as police, security agency or even military security agency can call for data but the request must have the orders from court, however, in reality, the situation is not like this.
The legal and policy director of Share Foundation, a non-profit organization (NPO) who is very much keen to protect and safeguards the citizen’s internet rights has shown serious concern towards this matter and has said:
State authorities have the de facto ability to access our private data without a court decision.
What actually are the laws in Serbia?
Although Serbia is outside the European Union but still they have implemented the data retention laws on its citizen. The data retention laws in Serbia are based on Serbia’s Law on Electronic Communications. The Serbian government adopted the mandatory data retentions in 2010. Under this law, the countries internet service providers are compelled to retain the user’s data for a year and after the allocated time they can delete the data.
In 2012, regarding the Serbian data retention laws, a Commissioner’s report was presented. According to this report, the telephone service providers share user’s personal data. The personal data includes national ID numbers and addresses. Moreover, some also share cell phone activity data, caller and receiver’s number, call duration along with date and time, the phone’s identifier i.e. IMEI, also details about the base stations from where the call has been forwarded, service type, identity details of both the parties, list of SIM cards which have been used in the existing device for last year.
How to access the data?
According to the data retention directives in Serbia if someone wants to get access to retained data they have to follow the given set of instructions. If a police or a security personnel want to access the data so, they need judicial authorization. Another way of getting the access is to simply submit a request which should clearly explain that which data the concerned authorities or law enforcement agencies wants to have. This also includes a determination of judicial order allowing it. These requests can be submitted via fax, email, and phone or by any person.
The higher authorities and law enforcement agencies can also access the data via direct access. The different State Institutions can acquire user’s names and passwords to get into the service provider’s internal systems and permitting them to access the stored data at any time.
The mandatory data retentions laws were violating the basic human rights of internet privacy. These laws were highly criticized by not only the people of Serbia but also by various politicians and member of Parliament too. The opposition parties criticized this as unconstitutional and as result, these laws were declared as unconstitutional by the Serbian court.